<h1>Yarda's devel blog</h1> <p>Announcements about news from projects I am working on. The blog is targeted to HW/SW development, ham radio and others. Author: Jaroslav Škarvada, https://plus.google.com/111850454371280987069 (feed updated 2017-08-16).</p>
<h2>Fix Xvid playback in Media Foundation in Windows 10 after Xvid codec installation</h2> <p>Posted 2016-12-27</p>
<p>Currently there are two frameworks/APIs for media playback in Windows 10: the older DirectShow and the newer Media Foundation (MF). The latter is used by e.g. Universal Windows Platform (UWP) applications/apps (formerly Metro applications/apps). On a 64-bit OS both APIs are present twice - for 32 bits and for 64 bits. This means four places where things could break.</p> <p>One breakage I have recently encountered is with the free and open-source (FOSS) Xvid codec/software. When this software (version 1.3.4 build 20150621) is installed, it breaks playback of Xvid videos (MPEG-4 ASP with FourCC set to XVID) in MF. This is painful because the default application for video playback in Windows 10 is a UWP based app called zunevideo (or TwinUI, or Movies &amp; TV). The problem manifests as a black screen during Xvid playback in zunevideo. Unfortunately zunevideo doesn't show any error or message about what's wrong and, what's worse, uninstalling the Xvid codec/software doesn't fix the problem.</p> <p>Upon analysis of the problem it seems that Xvid doesn't support MF, but the Xvid installer removes the mappings of XVID to the MS codec and doesn't restore them after uninstallation. I reported the problem to Xvid upstream. 
To fix the problem, the following registry edits, which re-add the mappings of xvid/XVID to MP4V, can be used:</p> <pre>
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MediaFoundation\MapVideo4cc]
"58564944"=dword:5634504d

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MediaFoundation\MapVideo4cc]
"78766964"=dword:5634504d

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\MediaFoundation\MapVideo4cc]
"58564944"=dword:5634504d

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\MediaFoundation\MapVideo4cc]
"78766964"=dword:5634504d
</pre> <p>The first entry maps FourCC "58564944" ("XVID" in ASCII) to FourCC 0x5634504d ("MP4V" in ASCII, little-endian). The second entry does the same for the lower-case FourCC ("xvid" in ASCII). The last two entries do the same as the first two, but for 32 bits. This fixes Xvid playback in MF for me.</p>
<h2>Remote web monitoring of 3D printers through Pronterface</h2> <p>Posted 2016-03-09</p>
<p>I have recently dug into the Pronterface code and realized that there is a simple RPC server built in. It listens on localhost and it's a really cool feature for remote monitoring, so I hacked together KISS (Keep It Simple and Stupid) PHP code that allows querying the RPC server through the web. The code can query multiple running Pronterfaces, so it's no problem to monitor multiple 3D printers which are connected to the same host. Running instances of Pronterface are automatically detected. It also queries all connected V4L compatible webcams, which means that you can check the progress of printers visually. 
With the current code you can check temperatures (bed, extruder), Z position, and the status of the current print task including task/file name, ETA and finished percentage.</p> <p>The code with instructions is available from GitHub: <a href="https://github.com/yarda/printrun-webmon/">https://github.com/yarda/printrun-webmon/</a>. Feel free to send patches as pull requests.</p>
<h2>How to get Chinese 2.4 TFT LCD ILI9341 based Arduino Uno shield working</h2> <p>Posted 2015-09-18, updated 2015-10-07</p>
<p>These Chinese Arduino Uno TFT LCD shields are neat and very cheap, so I couldn't resist and got one from Banggood. As with nearly everything Chinese, there are several versions and revisions around and it's usually a surprise which one you will receive. It seems my shield came with an ILI9341 controller although ILI9340 is written on the board (I didn't disassemble it, but I assume it according to the shield behaviour). I tried to get it working with the Adafruit TFTLCD-Library, but it ended with "Unknown LCD driver chip: C0C0" and a white screen. So I dug a bit deeper into this problem. It quickly turned out that the chip needs a bit longer delay after reset before it starts responding. For my shield it seems that an additional 5 milliseconds are enough. Then it correctly identified itself as ILI9341. But it still didn't display anything, there was only the white screen.</p> <p>I read both the ILI9340 and ILI9341 datasheets and found out that my chip has extended registers which are not handled by the original code. I verified the content of these registers against the datasheet and it revealed that the "Pump ratio control" register is set to 0x0 after the reset. According to the datasheet this is a 'reserved' value and after the reset the content of this register should be set to 0x20 (which means 2xVCI). 
Maybe my chip revision is newer than my datasheet or maybe this is some HW glitch, but this again validated the basic rule known to embedded developers: "never ever rely on the default values after the reset". So I added initialization for the extended registers. I also improved chip select (CS) handling in the code, which allows sharing of the data ports with other peripherals. I made some other minor improvements and bug fixes to the code. All of the changes should be harmless to older HW. Even the initialization of the extended registers should work on chips without extended registers, because according to the datasheet such initialization should be handled as NOP commands. I submitted the changes as a pull request to <a href="https://github.com/adafruit/TFTLCD-Library/pull/17">Adafruit</a>; here is the direct link to the related <a href="https://github.com/yarda/TFTLCD-Library/commit/bdb2652aa5cc20cc6a754ec59a19388a97f7f6fc">commit</a>. It seems the shield has a different orientation of the display than the Adafruit library expects, thus you need to uncomment <i>#define ILI9341_MIRROR_X 1</i> and comment out <i>#define ILI9341_MIRROR_Y 1</i> in <i>Adafruit_TFTLCD.h</i> to fix the orientation.</p> <p>Regarding the touchscreen, it's a classic 4-wire resistive digitizer which can be handled by e.g. the Adafruit TouchScreen library. The only thing that you need to set up is which pins the touchscreen is connected to. Unfortunately it is not written on the kit, but it's possible to locate the connections visually and with a multimeter. The wiring of my shield is as follows:</p> <table><tr><th>Arduino pin</th><th>Digitizer signal</th></tr><tr><td>A1</td><td>Y+</td></tr><tr><td>A2</td><td>X-</td></tr><tr><td>D6</td><td>X+</td></tr><tr><td>D7</td><td>Y-</td></tr></table> <p>Unfortunately my shield came with a broken electrode, so my touchscreen didn't work, but I checked the correct functionality of the code on my friend's shield. 
I was refunded by Banggood without problems, so I ordered another shield and will keep this broken shield for projects that do not require a touchscreen. You can see the detail of the broken electrode here:</p> <div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-rHDL141agn8/VfwVmeF63LI/AAAAAAAAB4I/PYIo_PrQKOM/s1600/display.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-rHDL141agn8/VfwVmeF63LI/AAAAAAAAB4I/PYIo_PrQKOM/s320/display.jpg" /></a></div> <p>Here is a picture of the working shield kindly lent to me by my friend:</p> <div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-FklfD0PxBeg/VfwXkxs8f6I/AAAAAAAAB4U/B32-w7J3F1w/s1600/IMG_20150918_143521.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-FklfD0PxBeg/VfwXkxs8f6I/AAAAAAAAB4U/B32-w7J3F1w/s320/IMG_20150918_143521.jpg" /></a></div> <p>I downloaded the code for this simple painting application somewhere on the internet and modified it to work with my shield. The modified code is available for <a href="https://fedorapeople.org/~jskarvad/arduino/tftpaint.ino">download</a>. There was no licensing information in the original code, so hopefully the license status of this code is OK (free/public domain). If not, please let me know. In the application you can draw with your stylus/finger, select colors on the side and clear the display by tapping on the opposite side of the display.</p> <p><b>Update 2015/10/07</b><br/>I received the replacement display and the shipment was pretty fast. This time ILI9341 is written on the PCB. It again proved that development runs pretty fast in China and they usually finish a new iteration sooner than you receive your previous order. The display works correctly now. But it seems the digitizer X/Y pins are reversed in comparison with the previous display. 
I am not sure whether it is a wanted feature of the new PCB or a bug, but it doesn't matter. The digitizer wiring is now as follows:</p> <table><tr><th>Arduino pin</th><th>Digitizer signal</th></tr><tr><td>A1</td><td>X-</td></tr><tr><td>A2</td><td>Y+</td></tr><tr><td>D6</td><td>Y-</td></tr><tr><td>D7</td><td>X+</td></tr></table>
<h2>Fix Internet Explorer downloading .EXE files as _EXE</h2> <p>Posted 2015-07-15</p>
<p>I encountered it on Windows 8.1 Pro 64 bit, but the following observations may apply to other versions as well. It seems to be quite a common issue, but I wasn't able to find any resolution for it on the Internet, not counting disabling IE Protected Mode (PM) or creating a new user profile. Disabling PM is not a good way to go, because it needlessly increases the number of potential attack vectors. Creating a new user profile is an easy fix for a single user, but a pain when there are dozens of user accounts facing this issue. That's why I dug deeper into it.</p> <p>I quickly realised that this problem is mostly faced by users whose profiles have been moved/copied to a different drive. At first I compared registry dumps for a user not facing the problem (let's call her/him "good user") and a user facing the problem (let's call her/him "bad user"). Initially I thought that this obviously over-engineered PM feature stores drive UUIDs in registry hives, but the comparison of registry hives didn't reveal anything supporting this assumption.</p> <p>Next I moved to <i>Process Monitor</i> to observe what's going on there. I noticed a lot of "access denied" return codes from the <i>CreateFile</i> calls, all of them ending somewhere in the PM <i>InetCache</i> under <i>%LOCALAPPDATA%\Packages\windows_ie_ac_001\AC</i>. This also caused a bit of a delay when the download was initiated. 
Then after some delay, Internet Explorer showed a dialog box saying that it cannot download the file. If the "retry" button was clicked, it used some different, probably backup directory and the file was saved with the <i>_exe</i> suffix instead of <i>.exe</i>.</p> <p>I checked the ACL of the <i>InetCache</i> path, but it seemed OK. Even so I tried to give full access to everyone for this directory and its sub-directories (it is generally not a good idea, but I wondered what would happen). But it didn't help. Really strange, so I tried comparing the ACLs of the "good user" with the "bad user". It revealed that there is the <i>SID</i> of an otherwise non-existent user <i>S-1-15-2-1430448594-2639229838-973813799-439329657-1197984847-4069167804-1277922394</i> with full access rights on the path. I always enjoy such hacks :). I used the following command to fix the problem (I ran it multiple times with <i>%LOCALAPPDATA%</i> replaced by the user's LOCALAPPDATA path, e.g. <i>C:\users\user1\AppData\Local</i>):</p><pre>
icacls %LOCALAPPDATA%\Packages\windows_ie_ac_001\AC /grant "*S-1-15-2-1430448594-2639229838-973813799-439329657-1197984847-4069167804-1277922394":(OI)(CI)F /c
</pre> <p>Unfortunately some user accounts still weren't fixed by this command. I rechecked one such account with <i>Process Monitor</i> and it revealed that Internet Explorer created its <i>InetCache</i> on a virtualised path, which broke PM. It seems that for correct PM function it's not enough if the <i>Users</i> group, or another group the user is a member of, has full access to the user profile; the user must be explicitly listed on the ACL of the profile directory and its subdirectories. So I finally used the following command to fix the rest of the affected user accounts (again run multiple times):</p><pre>
icacls %USERPROFILE% /grant %USERNAME%:(OI)(CI)F /c /t
</pre> <p>Later I realized that in my case the problem was probably caused by the relocation script used for moving the user profiles. 
This script called the <i>robocopy</i> command without the <i>/copyall</i> parameter. But there can probably be more sources of this problem (e.g. filesystem / ACL corruption caused by a machine crash or installation of buggy drivers/SW, etc.).</p>
<h2>Firefox: Re-enable prompt asking you whether you want to save your tabs on exit</h2> <p>Posted 2014-08-29</p>
<p>Firefox usually asks whether you want to save your tabs on exit if you have <code>browser.showQuitWarning = true</code> in your <code>about:config</code>. If you check "Do not ask next time" it will not ask you again. The question is how to re-enable this prompt. You already set the following:</p> <pre>
browser.showQuitWarning = true
browser.tabs.warnOnClose = true
browser.tabs.warnOnCloseOtherTabs = true
browser.warnOnQuit = true
</pre> <p>But it still doesn't show the prompt. The corresponding setting is hidden behind <code>browser.startup.page</code>. Just locate it in <code>about:config</code>, right click on it and select "Reset". Restart Firefox and voilà, the prompt is back. You can also re-enable this through the UI: go to "Edit -> Preferences -> General -> When Firefox starts" and change "Show my windows and tabs from last time" to "Show my home page" or "Show a blank page". A bit illogical at first sight, but it works. This was tested on Firefox 31.0.</p>
<h2>HW mod: Increase USB power on Raspberry Pi early rev. 1 boards</h2> <p>Posted 2013-07-01, updated 2013-07-02</p>
<p>The early Raspberry PI (RPI) boards had polyfuses on the USB ports. They are electronic resettable 140 mA fuses. The problem is that they do not have zero ohm resistance. 
This means that as more power is drawn from the USB port, the voltage drop across the polyfuse increases. When drawing approx. 100 mA or more from the USB port, the voltage drops below the value allowed by the USB specification and the connected USB devices may behave incorrectly. I encountered this when I was backporting the R820T tuner driver to kernel 3.9 (needed for some RTL2832 based DVB-T dongles). Some of the DVB-T cards I had worked OK, some exhibited random failures during I2C writes to the R820T registers, which resulted in occasional kernel panics.</p> <p>You can work around this by using a powered USB hub or you can fix the RPI PCB. The fix is simple - just bypass the F1 and F2 polyfuses. This fix is already implemented on the later rev. 1 and rev. 2 boards, so the later boards don't exhibit this problem. You can remove the polyfuses and short the pins, but an easier approach is to leave the polyfuses on the PCB and just short them out with wire or just with solder. You will still have the protection from the main F3 polyfuse (0.7 A). The other advantage of this mod is that it will allow you to power the RPI from USB hubs / devices that provide power upstream.</p> <div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-5nnX_AL6ngA/UdHtjFejB0I/AAAAAAAAA_g/MBYOiKy0vGk/s1024/rpi-usb-mod.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-5nnX_AL6ngA/UdHtjFejB0I/AAAAAAAAA_g/MBYOiKy0vGk/s320/rpi-usb-mod.jpg" /></a></div> <p>The F1 and F2 polyfuses are green (at least on my RPI boards) and are located near the status LEDs. This modification is applicable only to the early rev. 1 boards. They probably have the HW revision code 2 or less. 
You can get the HW revision code by running:</p><pre>cat /proc/cpuinfo</pre><p>If your HW revision code is 3 or above, this problem is already fixed on your board.</p>
<h2>Use Windows screensavers in Linux for screen locking</h2> <p>Posted 2013-06-14</p>
<p>This arose from a discussion with a person whom we tried to migrate to Linux. Her argument was that she would miss the Bubbles screensaver :). No doubt, the new D3D Windows screensavers are cool and especially for the Bubbles screensaver there is currently no Linux counterpart. But the argument doesn't stand; here is the quick and dirty solution - Wine:</p> <ul><li>Copy the screensaver, e.g. for the Bubbles screensaver copy \Windows\System32\Bubbles.scr to the /opt/screensavers/ directory (or elsewhere).</li><li>Install the xlockmore package.</li><li>Run the screensaver by: <pre>xlock -mode blank -geometry 0x0 \
-startCmd "wine /opt/screensavers/Bubbles.scr /s"</pre></li></ul> <p>The trick is to instruct xlock to blank a screen area consisting of zero pixels, so the display is left unmodified for the screensaver. This was tested on Fedora 18 with Xfce and worked OK. If you need to configure the screensaver, you can run it with the /c parameter. Unfortunately the Bubbles screensaver doesn't implement the configuration dialog and the command will fail, but there are still some <a href="http://www.techrepublic.com/blog/window-on-windows/unlocking-the-bubbles-screen-savers-hidden-settings-in-vista/632">hidden settings</a> you can alter through the registry. I focused only on the technical side of the problem, not the legal one, but I think it shouldn't be a problem if there is a valid Windows license for the machine (e.g. 
machine with dual-boot).</p>
<h2>Tip: using oath-toolkit for HOTP/TOTP authentication</h2> <p>Posted 2013-04-07</p>
I packaged <i>oath-toolkit</i> for Fedora and it is currently submitted for the <a href="http://bugzilla.redhat.com/show_bug.cgi?id=949324">merge review</a>. The toolkit provides <i>oathtool</i>, which can be used as a generator for HOTP/TOTP (e.g. to authenticate against LinOTP). Usage is very simple, for HOTP: <pre>$ oathtool -c COUNTER SEED</pre>And for TOTP: <pre>$ oathtool --totp SEED</pre>The package also provides a library and header files, so more complex applications/GUIs can easily be based on it. There is also a PAM module included that allows you to use your HOTP/TOTP HW/SW token for authentication against your machines (e.g. sshd). To enable it for sshd, add the following line to the top of your /etc/pam.d/sshd: <pre>auth sufficient pam_oath.so usersfile=/etc/users.oath window=20 digits=6</pre>This will set up SSH for 6-digit HOTP/TOTP and will check through 20 values (the tolerance). Then create the /etc/users.oath file and add there a list of allowed users together with their prefix passwords (PINs) and seeds, e.g.: <pre>
HOTP/T30 root pw 00
HOTP user1 - 01
</pre>In the example above, the user <i>root</i> is configured for 30-second TOTP with the prefix password (PIN) <i>pw</i> and seed <i>00</i>; the user <i>user1</i> has no prefix password and uses the seed <i>01</i>. As the file contains seeds and plain text PINs, do not forget to chown it to <i>root:root</i> and chmod it to <i>600</i>. For correct function, "UsePAM yes" and "PasswordAuthentication yes" also need to be specified in your /etc/ssh/sshd_config. 
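The users file and the <i>window=20</i> setting above, worked through as an added example (not code from the original post or from oath-toolkit): it parses the <i>TYPE USER PIN SEED</i> lines, computes RFC 4226/6238 codes, checks a PIN+OTP response against a window, and flags weak entries. The third sample user, the symmetric TOTP window and the 16-byte minimum seed length (taken from RFC 4226) are assumptions of this example, not documented pam_oath behaviour.

```python
"""Added example: parse a users.oath-style file, verify PIN+OTP, flag weak entries."""
import hashlib
import hmac
import os
import stat
import struct
import time

# Constructed sample: the first two lines are the post's example entries; the third
# (user2, seeded with the RFC 4226 test key "12345678901234567890") is an assumption.
SAMPLE_USERSFILE = """\
HOTP/T30 root pw 00
HOTP user1 - 01
HOTP user2 - 3132333435363738393031323334353637383930
"""


def hotp(seed_hex, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(bytes.fromhex(seed_hex), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed_hex, now, step=30, digits=6):
    """RFC 6238: HOTP where the counter is the number of elapsed time steps."""
    return hotp(seed_hex, int(now) // step, digits)


def parse_usersfile(text):
    """Parse 'TYPE USER PIN SEED' lines; extra trailing fields are ignored."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) < 4:
            raise ValueError("malformed line: %r" % line)
        kind, user, pin, seed = fields[:4]
        # "HOTP" is counter based; "HOTP/T30" is time based with a 30 s step.
        step = next((int(p[1:]) for p in kind.split("/")[1:] if p.startswith("T")), None)
        bytes.fromhex(seed)  # raises ValueError if the seed is not hex
        entries.append({"user": user, "step": step, "seed": seed,
                        "pin": "" if pin == "-" else pin})
    return entries


def verify(entry, response, counter=0, now=None, window=20, digits=6):
    """Return the counter (or time step) whose code matches PIN+OTP, else None.

    Assumption of this example: HOTP looks ahead from the stored counter and
    TOTP accepts `window` steps either side of the current time.
    """
    given_pin, otp = response[:-digits], response[-digits:]
    if not hmac.compare_digest(given_pin.encode(), entry["pin"].encode()):
        return None
    if entry["step"]:
        base = int(time.time() if now is None else now) // entry["step"]
        candidates = range(max(base - window, 0), base + window + 1)
    else:
        candidates = range(counter, counter + window + 1)
    for value in candidates:
        if hmac.compare_digest(hotp(entry["seed"], value, digits).encode(), otp.encode()):
            return value
    return None


def guess_probability(entry, window=20, digits=6):
    """Upper bound on the chance that one random guess is accepted."""
    accepted = 2 * window + 1 if entry["step"] else window + 1
    return accepted / 10 ** digits


def audit(entries, path=None):
    """Return findings for weak seeds and, if path is given, loose file permissions."""
    findings = []
    if path is not None:
        st = os.stat(path)
        mode = stat.S_IMODE(st.st_mode)
        if mode & 0o077:
            findings.append("%s: mode %o lets group/other read seeds and PINs" % (path, mode))
        if st.st_uid != 0:
            findings.append("%s: not owned by root (uid %d)" % (path, st.st_uid))
    for e in entries:
        nbytes = len(bytes.fromhex(e["seed"]))
        if nbytes < 16:  # RFC 4226 requires a shared secret of at least 128 bits
            findings.append("%s: seed is only %d byte(s), RFC 4226 requires 16" % (e["user"], nbytes))
    return findings


if __name__ == "__main__":
    users = parse_usersfile(SAMPLE_USERSFILE)
    for finding in audit(users):
        print("FINDING", finding)
    print("user2, counter 9 accepted at:", verify(users[2], "520489", counter=0))
    print("per-guess acceptance bound (HOTP):", guess_probability(users[1]))
```

The one-byte seeds <i>00</i> and <i>01</i> from the example file are reported as too short, and a wider window raises the share of the 6-digit code space that is accepted on each attempt.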
Currently the PAM module may not work correctly with SELinux (for details see the <a href="http://bugzilla.redhat.com/show_bug.cgi?id=949324">merge review</a>).
<h2>Fix: mediawiki@openshift is not saving user preferences</h2> <p>Posted 2013-03-24</p>
I encountered this when running Mediawiki through HTTPS/TLS on Openshift. POST queries with full URLs didn't work - it resulted in an inability to save user preferences or upload files, and maybe there are other weird problems. After short debugging it turned out that the problem is in the HTTPS detection in the Mediawiki code. The code uses the <code>$_SERVER['HTTPS'] == 'on'</code> check, which according to the PHP documentation is not correct - Amazon's load balancer sets this to '1' instead of 'on'. It seems that the latest Mediawiki 1.20.3 is also affected by this, so I filed <a href="http://bugzilla.wikimedia.org/show_bug.cgi?id=46511">http://bugzilla.wikimedia.org/show_bug.cgi?id=46511</a>. The patch against mediawiki-1.16 (the Openshift Mediawiki example) is attached.
<h2>Tip: Learn n900 to understand Map1.eu</h2> <p>Posted 2013-02-15</p>
Recently the alpha version of Map1.eu went online. It's a nice project whose aim is to provide an all-purpose map of the whole of Europe suitable for outdoor activities like hiking, biking, skiing or geocaching. The project is based on OpenStreetMap data. The great thing is that it contains hiking trails for both the Czech Republic and Slovakia. But the best thing is that it can be easily integrated into the n900. The procedure: <ol><li>Install Mappero, e.g. "apt-get install maemo-mapper"</li><li>Click Mappero -> Maps -> Tiles -> New, for Name, UniqID, Cache dir fill e.g. 
Map1.eu, as URL use http://alpha.map1.eu/tiles/%d/%d/%d.jpg, Type: XYZ_INV, Format: JPEG, click Save.</li><li>Click Mappero -> Maps -> Tiles -> Repositories -> New, fill in the following: Name: e.g. Map1.eu, Min zoom: 5, Max zoom: 17, Zoom step: 1, Tiles: Map1.eu, click Save.</li><li>Restart Mappero.</li><li>In Mappero -> Maps -> Map repository select Map1.eu.</li></ol> And you are done. The great thing is that you can also use this map offline, just download the tiles: in Mappero -> Maps -> Manage Maps... select Area (the current view is preselected) and the zoom levels you are interested in, click OK and the map will be downloaded for offline use.
<h2>Datovka - Interface to Czech Databox (AKA Datové schránky)</h2> <p>Posted 2012-09-26</p>
<p>Recently, I packaged "Datovka" for Fedora. It's a GUI application for access to <a href="http://www.datoveschranky.info/">Czech Databox (AKA Datové schránky)</a> - an electronic communication interface endorsed by the Czech government. There is also the python-dslib library for accessing the databox programmatically. It was implemented by <a href="http://www.nic.cz/">CZ.NIC</a>. You can also access the databox from the WWW interface now, as it was recently redesigned to work without a Windows plugin, but this GUI application and library could bring you more comfort and automation possibilities.</p>
<h2>Intel AMT quickstart guide</h2> <p>Posted 2012-09-18, updated 2012-09-19</p>
<h3>Introduction</h3> <p>Intel Active Management Technology (AMT) is a very interesting technology and today it is built into many Intel based laptops, but many owners have no idea that their machine can do it, nor how to use this technology in practice. 
No wonder, the official Intel documentation is not easy to read. It is full of enterprise abbreviations and buzzwords. That's why I wrote this very simple quickstart guide.</p> <p>Intel AMT allows you to remotely configure, control and provision your machine. You don't need another separate management card, everything is already built into your machine. It is OS independent and shares your network interface transparently with the OS. It processes network packets before the OS does. It is accessible even if the machine is off, booting or hung. There is also the possibility to enable this functionality on the wireless network card. There is a built-in WWW server for easy human control (e.g. power on/off/reboot), but unfortunately the WWW server doesn't provide many functions. For more advanced control, WS-Management needs to be used. It also supports CIM bindings. The following DMTF WS-Management specifications are generally supported:</p><ul><li>DSP0226 Web Services for Management (WS Management)</li><li>DSP0227 WS-Management CIM Binding Specification</li><li>DSP0230 WS-CIM Mapping Specification</li></ul> <p>For more details see <a href="http://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/DOCS/Implementation%20and%20Reference%20Guide/default.htm?turl=WordDocuments%2Fsupportforwsmanagementinintelamt.htm">Intel documentation</a>.</p> <p>So what can you do with it in practice? You can remotely redirect the boot process to e.g. a network share, mount a remote image (IDER), access and change BIOS settings, redirect input/output through KVM, filter, block, inspect or rate limit network traffic, access a persistent event log that is stored in protected memory and much more. But remember, it is over-engineered enterprise class technology, thus the configuration and activation of these features is not always apparent :).</p> <p>Intel AMT is built into the chipset. The supported features are defined by the AMT version number. 
You can upgrade the AMT firmware but only across minor releases. It is not possible to flash firmware with a higher major number, because it would be incompatible with your physical hardware. A handy list of AMT versions with matching chipsets is available on <a href="http://en.wikipedia.org/wiki/Intel_AMT_versions">Wikipedia</a>. KVM is available from AMT version 6.0 and up. For working KVM you need a recent enough board and chipset that support at least Intel AMT 6.0. You also need a supported CPU (with an integrated video card, which is utilized for this functionality).</p> <h3>AMT activation</h3> <p>At first you need to enable it in the BIOS and reboot. Then in the early boot screen enter the Management Engine (ME) by pressing CTRL + P (or F12 on some machines). Log in to the ME, using <i>admin</i> for both username and password. Then change the default password. Remember this is enterprise class technology :) thus it has to be a complex enough password that contains mixed case characters, digits and special characters, otherwise the password is rejected by the ME (it took me a while to come up with the right password for the first time :). Enable the ME (it may require a reboot and login with your new password). Then configure the ME, at least set up the network. You can use static configuration (with a secondary IP used for the ME and a different IP for the host OS) or DHCP (with one IP shared with the host OS), and it can also be set to automatically synchronize with the host OS IP. Also do not forget to set the hostname - this is important, otherwise the machine will not be remotely accessible. Switch the mode to SMB (Small Business) management mode. Do not use the Enterprise mode (it can be used together with Active Directory). And finally reboot.</p> <p>Now you should be able to access the AMT web interface. 
Open your web browser and point it to <code>http://YOURMACHINE:16992</code>. You will probably need to do it from another machine, not the one you are trying to control. Observe the web interface, nice heh?</p> <h3>More stuff</h3> <p>In Fedora there is a nice package called <i>amtterm</i>. It includes a Perl script (<i>amttool</i>) that can query info, power up/down, configure the network, redirect BIOS boot messages and also redirect the boot process. There is also a command line serial terminal that is also called <i>amtterm</i> and a graphical terminal called <i>gamt</i>. To use the serial line remotely you need to enable Serial Over LAN (SOL) in the ME configuration (after boot). Then the OS should see another serial port. Then you can configure your Fedora to use this serial port as the boot console, or you can even configure your Grub to use this serial port for remote OS selection (but the OS selection didn't work correctly for me with grub2/f17/t420s). To enable it, add the following lines to /etc/default/grub (my AMT serial port was ttyS0):</p> <pre>
GRUB_TERMINAL=serial
GRUB_SERIAL_COMMAND="serial --speed=115200 --unit=0"
</pre> <p>Also add 'console=tty0 console=ttyS0,115200' to your GRUB_CMDLINE_LINUX in /etc/default/grub (and you can remove the 'rhgb quiet'). Then regenerate your grub2 config:</p><pre>
# grub2-mkconfig -o /boot/grub2/grub.cfg
</pre> <p>Now you can connect from a remote machine by e.g.:</p> <pre>
$ amtterm YOURMACHINE
</pre> <h3>KVM</h3> <p>That's all great, but the really cool stuff is KVM. It is possible to connect through VNC to your machine and control it remotely, even browse your BIOS setup :). Remember you need at least Intel AMT 6.0 and a supported CPU for this to work. You can use out-of-band KVM. This is RFB packed into an AMT authenticated and possibly TLS encrypted stream, thus a special client is needed. 
There are several commercial clients, mostly for Windows, like RealVNC Viewer Plus, that can do it out of the box. There is also the <a href="http://software.intel.com/en-us/articles/intel-active-management-technology-software-development-kit/">Intel AMT SDK</a>, which contains an example Linux implementation of an out-of-band KVM viewer. Unluckily it uses a RealVNC binary that comes with an evaluation license, but you can buy a full license. So far not good for an opensource/free software enthusiast.</p> <p>Luckily, it is possible to redirect the KVM to the classic VNC port 5900, thus any VNC client can be used. This requires a little hackish session with wsman :), but it needs to be done only once. In Fedora there is the <i>wsmancli</i> package that can be used for this task. At first you need to set the RFB password (this is another password that will be used only for KVM, not your AMT password). Remember this is highly over-engineered enterprise technology, thus the password must have exactly 8 characters and has to be a combination of mixed case characters, digits and special characters, otherwise it is rejected. 
Then set the password through wsman:</p> <pre>
# wsman put \
http://intel.com/wbem/wscim/1/ips-schema/1/IPS_KVMRedirectionSettingData \
-h AMT_HOST -P 16992 -u admin -p AMT_PASSWORD -k RFBPassword=RFB_PASSWORD
</pre> <p>Then enable KVM redirection to port 5900:</p> <pre>
# wsman put \
http://intel.com/wbem/wscim/1/ips-schema/1/IPS_KVMRedirectionSettingData \
-h AMT_HOST -P 16992 -u admin -p AMT_PASSWORD -k Is5900PortEnabled=true
</pre> <p>And finally enable the KVM:</p> <pre>
# wsman invoke -a RequestStateChange \
http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_KVMRedirectionSAP \
-h AMT_HOST -P 16992 -u admin -p AMT_PASSWORD -k RequestedState=2
</pre> <p>You can also query the current settings by:</p> <pre>
# wsman get \
http://intel.com/wbem/wscim/1/ips-schema/1/IPS_KVMRedirectionSettingData \
-h AMT_HOST -P 16992 -u admin -p AMT_PASSWORD
</pre> <p>By default there is an opt-in policy enabled. This means that the remote access must be explicitly allowed by the local user. Upon VNC connection the AMT generates an OTP PIN, which is shown on the local screen as a HW overlay. 
This OTP PIN is required as a second authentication step for VNC access. The local user tells this PIN to the remote user to allow him to connect. If the opt-in policy is disabled, no OTP PIN is required for access, but an OSD indicator is still shown on the local screen that a remote connection is in progress. Disable the opt-in policy by:</p>
<pre><br /># wsman put \<br /><a class="external free" href="http://intel.com/wbem/wscim/1/ips-schema/1/IPS_KVMRedirectionSettingData" rel="nofollow" title="http://intel.com/wbem/wscim/1/ips-schema/1/IPS_KVMRedirectionSettingData">http://intel.com/wbem/wscim/1/ips-schema/1/IPS_KVMRedirectionSettingData</a> \<br />-h AMT_HOST -P 16992 -u admin -p AMT_PASSWORD -k OptInPolicy=false<br /></pre>
<p>Now you can simply connect with your favorite VNC viewer.</p>
<h3>Clean-up</h3>
<p>To clean up the ME configuration, enter BIOS setup and disable AMT. Save and reboot. During the reboot the AMT firmware will ask you whether you really want to unconfigure it. Confirm and then the unconfiguration starts. It takes a while (again it is enterprise technology :) and when the unconfiguration finishes, the machine reboots. Now the AMT is deactivated and for the next activation all settings (including the password) will be at their defaults.</p>
Jaroslav Škarvada https://plus.google.com/111850454371280987069 noreply@blogger.com 7
tag:blogger.com,1999:blog-1010002992456462699.post-8805385229725909411 2012-08-01T22:46:00.003+02:00 2012-08-01T22:46:58.446+02:00
Fedora/RHEL development on Gentoo
I was unhappy that I couldn't develop Fedora/RHEL on my beloved Gentoo, thus I created a <a href="https://github.com/yarda/gentoo-fedora">portage overlay</a> with Fedora/RHEL development tools. It is at an early stage, but it should be usable. There is still more work to do, e.g. ebuilds cleanup, USE flag addition, Python test suite enablement, Python3 support addition, etc. If you are a Gentoo enthusiast, feel free to try it.
<a href="http://fedorapeople.org/%7Ejskarvad/fedora-overlay.xml">Layman XML</a> is also available. For more details see the <a href="https://github.com/yarda/gentoo-fedora/wiki">project wiki</a>. Enjoy and don't forget to report bugs :)
Jaroslav Škarvada https://plus.google.com/111850454371280987069 noreply@blogger.com 0
tag:blogger.com,1999:blog-1010002992456462699.post-5119198553604634441 2011-12-03T16:21:00.001+01:00 2011-12-05T09:15:15.443+01:00
UHD support in Fedora's GNU Radio
The UHD is the "Universal Software Radio Peripheral" hardware driver. The goal of the UHD is to provide a host driver and API for current and future Ettus Research products. There is a nice presentation about UHD at <a href="http://gnuradio.org/redmine/attachments/download/255/04-blum-uhd_presentation_gnuradio_2011.pdf">http://gnuradio.org/redmine/attachments/download/255/04-blum-uhd_presentation_gnuradio_2011.pdf</a>. More information can also be found at the UHD homepage: <a href="http://code.ettus.com/redmine/ettus/projects/uhd/wiki">http://code.ettus.com/redmine/ettus/projects/uhd/wiki</a>. The UHD can also be used with USRP1/2 as a libusrp1/2 replacement. <br /><br />Currently in Fedora the UHD is supported in Rawhide (F17) and it is the only way to control the Ettus products from Rawhide's GNU Radio 3.5. Support for F16 is also on the way. In F16 both libusrp and libuhd will be supported from GNU Radio 3.4.
Jaroslav Škarvada https://plus.google.com/111850454371280987069 noreply@blogger.com 0
tag:blogger.com,1999:blog-1010002992456462699.post-6066032876178701612 2011-12-02T16:47:00.000+01:00 2011-12-02T16:57:19.659+01:00
Multiple groups matching in cnucnu
Cnucnu is a tool that provides an upstream release monitoring service with Bugzilla integration. It can monitor upstream projects of your interest and alert you every time a new version is released. This tool is already deployed in the Fedora project infrastructure.
If you want to monitor your packages in Fedora, simply follow the steps on: <a href="http://fedoraproject.org/wiki/Upstream_Release_Monitoring">http://fedoraproject.org/wiki/Upstream_Release_Monitoring</a>. <br /><br />Cnucnu will then check the preset URL and compare it with the package versions in Fedora. If a newer version is found, a bug is filed. All you need to get this to work is to correctly set the URL and the correct regex for your package. Currently there are templates for the most used patterns, but if your package uses special naming you will have to create a custom regex. You can develop the regex interactively by running:<br /><pre>cnucnu --shell<br /></pre>Then specify the URL to check and iteratively develop the regex. The regex specifies what to look for on the URL. You also need to specify what the version substring looks like. In the recent version of cnucnu the first group match (the part of the regex enclosed in parentheses) was used for this. The problem arises if you specify more than one group. In such a case cnucnu hangs. This is not good, thus I reported the <a href="http://bugzilla.redhat.com/show_bug.cgi?id=759467">problem</a> to bugzilla and created a <a href="http://bugzilla.redhat.com/attachment.cgi?id=539671&action=diff">simple patch</a> that fixes this. The patch concatenates all results from all groups together (the dot is used as the separator). This also allows you to parse more complex strings than before. A simple example:<br /><pre>package-004_001.tar.gz<br />regex: package-0*(\d+)_0*(\d+).tar.gz<br /></pre>Cnucnu without the patch will hang when parsing this. Cnucnu with the patch parses this as version 4.1.
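The group-joining behaviour described above, as an added Python example that is not cnucnu's code or the patch itself: every capture group of a match becomes one version component and the components are joined with a dot. The handling of regexes without groups, the numeric version ordering, the function names and the sample listing are assumptions made for this example, which goes slightly beyond the single file name in the post.

```python
import re

def extract_versions(regex, page_text):
    """Return upstream versions found in page_text, in order of appearance.

    Every capture group of a match contributes one version component and the
    components are joined with '.', the behaviour the post describes.
    With no capture group the whole match is used (assumption of this example).
    """
    pattern = re.compile(regex)
    versions = []
    for match in pattern.finditer(page_text):
        if pattern.groups == 0:
            version = match.group(0)
        else:
            # Optional groups that did not participate are None: skip them.
            parts = [g for g in match.groups() if g]
            version = ".".join(parts)
        if version and version not in versions:
            versions.append(version)
    return versions

def version_key(version):
    """Sort key comparing numeric components numerically ('4.10' > '4.9')."""
    return [(0, int(p)) if p.isdigit() else (1, p) for p in version.split(".")]

def latest_version(regex, page_text):
    """Return the highest version on the page, or None if nothing matched."""
    versions = extract_versions(regex, page_text)
    return max(versions, key=version_key) if versions else None

# Constructed directory listing standing in for an upstream download page.
SAMPLE_PAGE = """
<a href="package-003_012.tar.gz">package-003_012.tar.gz</a>
<a href="package-004_001.tar.gz">package-004_001.tar.gz</a>
<a href="package-004_010.tar.gz">package-004_010.tar.gz</a>
"""
REGEX = r"package-0*(\d+)_0*(\d+).tar.gz"  # the regex from the post

if __name__ == "__main__":
    print(extract_versions(REGEX, SAMPLE_PAGE))
    print(latest_version(REGEX, SAMPLE_PAGE))
```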
Hopefully the patch will be integrated soon.
Jaroslav Škarvada https://plus.google.com/111850454371280987069 noreply@blogger.com 0
tag:blogger.com,1999:blog-1010002992456462699.post-3551389311074947232 2011-10-20T15:34:00.000+02:00 2011-11-24T14:28:25.670+01:00
Turn your laptop into Wi-Fi AP with hostapd
<p>Sometimes it can be useful to turn your laptop into a Wi-Fi AP and quickly share your resources (e.g. internet connection) with others. This can make you new friends especially during conferences and similar events :). Of course supported HW is needed to get this to work. The current status of Linux drivers can be checked on the <a href="http://linuxwireless.org/en/users/Drivers">Linux Wireless drivers status page</a>. Look for AP mode and cfg80211 - this is the preferred combination. But several non-mac80211 drivers can also be used with hostapd. For more details visit the <a href="http://w1.fi/hostapd/">hostapd homepage</a>. If your HW is supported, the easiest way is probably to use dnsmasq and hostapd. In Fedora install them by:</p>
<pre># yum install dnsmasq hostapd</pre>
<h3>Simple script to set things up</h3>
<p>You can use the following script for going on the air quickly (it is prepared for mac80211 drivers, others would require editing):</p>
<pre>#!/bin/bash<br /><br />WANIF="eth0" # Interface connected to internet<br />LANIF="wlan0" # Interface that will serve the LAN, e.g. Wi-Fi card<br />COUNTRYCODE="CZ" # regulatory ISO/IEC 3166-1 alpha-2 country code<br />MODE="g" # mode a,b,g<br />CHANNEL="11" # channel to use<br />ESSID="MY_NET" # SSID to use<br />KEY="my_password" # WPA2 passphrase to use, must be 8 to 63 characters<br />LANIP="192.168.101.1" # IP to use on your LAN interface<br />DHCP_POOL_START="192.168.101.3" # First IP to assign to clients<br />DHCP_POOL_END="192.168.101.254" # Last IP to assign to clients<br /><br /># Enable packet forwarding<br />sysctl -w net.ipv4.ip_forward=1<br /># Enable handling of dynamic IPs (e.g. 
on WANIF)<br />sysctl -w net.ipv4.ip_dynaddr=1<br />ifconfig $LANIF $LANIP<br /><br /># Start hostapd<br />hostapd -BP /var/run/hostapd.pid <(cat <<:end<br />interface=$LANIF<br />driver=nl80211<br />logger_syslog=-1<br />logger_syslog_level=2<br />logger_stdout=-1<br />logger_stdout_level=2<br />debug=0<br />dump_file=/tmp/hostapd.dump<br />ctrl_interface=/var/run/hostapd<br />ctrl_interface_group=0<br />country_code=$COUNTRYCODE<br />channel=$CHANNEL<br />ssid=$ESSID<br />hw_mode=$MODE<br /># 1 to enable only clients with MAC listed in accept_mac_file<br />macaddr_acl=0<br />#accept_mac_file=/etc/hostapd/hostapd.accept<br />auth_algs=1<br /># Workaround for WinXP (only if only broadcast keys are used)<br />eapol_key_index_workaround=0<br /># Beacon interval in units of 1.024 ms<br />beacon_int=100<br /><br /># Wireless Multimedia Extension/Wi-Fi Multimedia needed for<br /># IEEE 802.11n (HT)<br />wmm_enabled=1<br /># 1 to enable 802.11n<br />ieee80211n=0<br /><br /># WEP/WPA/WPA2 bitmask, 0 for open/WEP, 1 for WPA, 2 for WPA2<br />wpa=2<br /><br /># WPA2 settings<br />wpa_passphrase=$KEY<br />wpa_key_mgmt=WPA-PSK<br />rsn_pairwise=CCMP<br /><br /># WEP settings<br /># WEP key length should be 5 (40 bit), 13 (104 bit) or<br /># 16 (128 bit) chars<br />#wep_key0="$KEY"<br />#wep_default_key=0<br />:end<br />)<br /><br />dnsmasq -i $LANIF --dhcp-range=$DHCP_POOL_START,$DHCP_POOL_END<br /><br /># FWD: Allow all connections OUT and only existing and related IN<br />iptables -I FORWARD -i $WANIF -o $LANIF -m state \<br /> --state ESTABLISHED,RELATED -j ACCEPT<br />iptables -I FORWARD -i $LANIF -o $WANIF -j ACCEPT<br /><br /># Enabling SNAT (MASQUERADE) functionality on $WANIF<br />iptables -t nat -I POSTROUTING -o $WANIF -j MASQUERADE<br /></pre>
<p>For a permanent setup it is better to transfer your hostapd settings into /etc/hostapd/hostapd.conf and your dnsmasq settings into /etc/dnsmasq.conf.
Then you will be able to start and manage the services through sysvinit / systemd or whatever your system uses. Finally, for a permanent setup you will also need to add the two sysctls (in Fedora to /etc/sysctl.conf) and the iptables rules (in Fedora to /etc/sysconfig/iptables).</p>
<h3>Ralink cards</h3>
<p>Personally I tried this on my netbook with an integrated 802.11n card (rt2800pci). There is a quick howto on the <a href="http://rt2x00.serialmonkey.com/wiki/index.php/AP-mode_Howto">rt2x00 project page</a>. But it didn't work for me - the client was unable to associate and I was getting in the log: "IEEE 802.11: did not acknowledge association response". I found the resolution of this problem on the <a href="http://eznemegy.blog.hu/2008/12/14/using_rt2x00_wireless_driver_with_hostapd">Ez nem egy blog</a>. The author stated there that the driver is unable to ack several frames, but hostapd needs them to be acked. The simple hack is to patch hostapd to blindly assume it gets acked. I used the following patch (it differs from the original one from the above link by not logging the errors):</p>
<pre>diff -up src/ap/ieee802_11.c.orig src/ap/ieee802_11.c<br />--- src/ap/ieee802_11.c.orig 2010-09-07 17:43:39.000000000 +0200<br />+++ src/ap/ieee802_11.c 2011-10-08 21:02:17.000000000 +0200<br />@@ -1475,13 +1475,6 @@ static void handle_auth_cb(struct hostap<br /> u16 auth_alg, auth_transaction, status_code;<br /> struct sta_info *sta;<br /> <br />- if (!ok) {<br />- hostapd_logger(hapd, mgmt->da, HOSTAPD_MODULE_IEEE80211,<br />- HOSTAPD_LEVEL_NOTICE,<br />- "did not acknowledge authentication response");<br />- return;<br />- }<br />-<br /> if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) {<br /> printf("handle_auth_cb - too short payload (len=%lu)\n",<br /> (unsigned long) len);<br />@@ -1518,13 +1511,6 @@ static void handle_assoc_cb(struct hosta<br /> int new_assoc = 1;<br /> struct ieee80211_ht_capabilities ht_cap;<br /> <br />- if (!ok) {<br />- 
hostapd_logger(hapd, mgmt->da, HOSTAPD_MODULE_IEEE80211,<br />- HOSTAPD_LEVEL_DEBUG,<br />- "did not acknowledge association response");<br />- return;<br />- }<br />-<br /> if (len < IEEE80211_HDRLEN + (reassoc ? sizeof(mgmt->u.reassoc_resp) :<br /> sizeof(mgmt->u.assoc_resp))) {<br /> printf("handle_assoc_cb(reassoc=%d) - too short payload "<br /></pre>
Then it worked like a charm.
<p>I also tried the rt73usb based dongle. This one shouldn't work according to the <a href="http://rt2x00.serialmonkey.com/wiki/index.php/AP-mode_Howto">rt2x00 project page</a>, because they don't know how to get the status messages (ACK/FAIL) for sent packets from the HW. I think there should be a way to get the ACKs, because the Windows driver works OK. The simple association hack from above is not enough here, probably more blind acks would be needed. This is a really dirty solution, so I give up for today. I will look into this more deeply later.</p>
Jaroslav Škarvada https://plus.google.com/111850454371280987069 noreply@blogger.com 0
tag:blogger.com,1999:blog-1010002992456462699.post-2375060312549658820 2011-08-04T13:00:00.000+02:00 2011-08-04T13:00:57.931+02:00
Welcome
Welcome to Yarda's blog. I would like to present here announcements about news from projects I am working on. The blog would be especially targeted to HW/SW development, ham radio and others.
Jaroslav Škarvada https://plus.google.com/111850454371280987069 noreply@blogger.com 0
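Review bot: in the first hunk of the hostapd patch to src/ap/ieee802_11.c (handle_auth_cb), the whole "if (!ok) { ... return; }" block is deleted unconditionally, so every authentication response is treated as acknowledged on every driver, not only on the rt2800pci card the workaround is meant for. Consider keeping the check and bypassing it only behind an explicit build or configuration switch, and keep the hostapd_logger() call so that an unacknowledged frame still leaves a trace in the log.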
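Review bot: in the second hunk of the hostapd patch (handle_assoc_cb), dropping "if (!ok)" lets the function continue into the payload-length check and the rest of association handling even when the station never confirmed the association response, and it also removes the "did not acknowledge association response" message, which is the one symptom that identified this driver problem in the first place. The hunk carries no comment explaining why the check is gone; a short comment naming the rt2x00 ACK-reporting limitation would help whoever rebases this onto a newer hostapd.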